10/18/2018

Ask Our VP of Compliance: October 2018

The Scariest thing this Halloween is Audits


Cyber security is the protection of systems, networks and data from attack. Cyber security audits examine the threats, vulnerabilities and risks facing your organization and address how to mitigate those risks. When assessing your cyber security there are three key areas to take into account: people, processes and technology. Thorough audits should be performed regularly, not only to protect your organization but also to comply with legislation regarding the protection of personal data. Digital Edge's VP of Compliance answers the most important questions regarding audits:


What is the difference between a cyber security audit and a cyber security assessment?


Your organization has a number of cybersecurity policies in place. The purpose of a cybersecurity audit is to act as a ‘checklist’ that validates that what you’ve said in a policy is actually happening and that there’s a control mechanism in place to enforce it.


Both an audit and an assessment are formal processes, but there are some key distinctions between the two:

  • An audit is more formal than an assessment. 
  • An audit must be performed by an independent third-party organization, and that third party typically must have some kind of certification. (An organization can have an internal audit team, but that team should act as an independent agency.)


While a cybersecurity audit is used to find the presence of controls, auditors rarely test the effectiveness of those controls, and the fact that a control exists does not necessarily mean that it is effective in mitigating cyber risk. For example, your cybersecurity auditors might check a box that says you have a firewall in place to reduce the number of websites employees can visit while using company equipment. But if that firewall isn’t properly configured, it might be useless. So having a control in place does not mean that the control is an effective one.

It is for this reason that cybersecurity assessments are often conducted. An assessment can be a formalized process, but the person or organization conducting the assessment does not need to be an auditor per se. If you’re trying to develop a complete picture of your cybersecurity posture, a cybersecurity assessment will help you kick the tires on current technology, documentation, network configuration, and overall effectiveness.


What do I need to have in place for Incident Response?


Within a cyber security audit, it is necessary to assess the availability and strength of plans for when things go wrong. Your response policy must be tested to see how it performs under pressure. An effective crisis management plan helps to ensure business continuity in the midst of a security breakdown and to quickly mitigate repercussions such as loss of reputation, legal action and damage to those whose data is affected. A crucial foundation of incident response is rapid detection, so automated detection tools should be in place to facilitate early discovery.


What if users are my Biggest Security Risk?


Users are more often than not the cause of cyber security breaches, whether accidentally, through lack of education, or deliberately, as with a disgruntled employee. Despite there being little we can do about the latter, there is much to be done about lack of education and knowledge. Thorough cyber security education, training, and regular refreshers help to ensure your staff remain vigilant to potential breaches, e.g. phishing emails, malware attachments and suspicious activity. Cyber security training is the silver bullet of cyber security.


Why are Cyber Security Audits Important?

Cyber security audits are essential in allowing you to identify vulnerabilities in your organization before they are exploited. Were these vulnerabilities to be exploited by cyber criminals, you may find yourself the victim of cyber-crime. Individuals' personal data is often unlawfully obtained in cyber security breaches. Not only can this have frightful effects on the individual affected, such as identity theft, but it can also damage your business.


In an increasingly digitized world, we value privacy and are committed to protecting your personal information. Data and its protection are at the core of everything Digital Edge does. As such, our business is built on Stability, Security, Efficiency, and Compliance, enabling us to protect our customers’ most valuable assets. We are committed to complying with the new legislation and will collaborate with partners throughout this process.


Still have questions? Feel free to contact me, Danielle V. Johnsen, at 718-210-1698 or djohnsen@digitaledge.net, or our Cyber Security Compliance team at compliance@digitaledge.net

Danielle Johnsen
VP of Compliance

Danielle V. Johnsen joined the Digital Edge team in 2015 as the VP of Compliance. With a passion for information security and organizational compliance, Danielle’s vision is to enable collaboration between 'The Business' and Information Technology, thus creating common objectives and outcomes that benefit the organization, while staying in compliance with all regulatory bodies and companywide policies. She specializes in security frameworks and policies such as ISO 9001, ISO 27001, NYS DFS 500, NIST, HIPAA, GDPR, PCI, OSPAR, and more!